Important change to IP Source Guard ARP Inspection
All Replies
-
My one last try. Based on your ACL solution, select 'discard the packet' for 'forwarding action' in the policy and keep the rest of the settings as you've done. It should block ARP packets between end devices but forward them to the GW. Try it to see if it meets what you need.
-
Yes, it blocks ARP... but it blocks ARP trying to go to the GW. Even if I allow ARP for the GW MAC, I still need ARP to broadcast, so this will ARP the VLAN, which I don't want.
I think the best option would be an ARP isolation option in the VLAN port settings.
Here's what I need:
ARP to the proxy ARP GW
broadcast traffic between PCs, like NetBIOS
can't spoof GW ARP
can't spoof local subnet ARP
I can get 3 of the 4.
-
I think I solved it!
It turns out that IP Source Guard ARP Inspection does in fact check ARP when it's a broadcast, but not for unicast ARP. IF you only make a Classifier for ARP DestMac = ff:ff:ff:ff:ff:ff and then do 'Send the packet to the egress port', ARP Inspection scans it first! Then when unicast ARP happens, ARP Inspection scans that.
Well, it mostly works... So if ARP Inspection works on broadcast with 'Send the packet to the egress port' for ARP, then why not unicast ARP too? To me this seems more like a bug.
So the way it works now: I have a Classifier for ARP DestMac = ff:ff:ff:ff:ff:ff with 'Send the packet to the egress port' and ARP. This allows ARP Inspection to work, and then the client sends unicast ARP to the GW (proxy ARP). But even with ARP Inspection working on unicast ARP, this does not stop a client from sending a unicast ARP with a legit sender MAC/IP to a target MAC/IP, which bypasses the proxy ARP between clients...
The only way to solve that would be to make a Classifier ARP DestMac block list per port, so if you have 20 MACs on 20 ports you have to do 400 Classifier rules!
BUG
Classifier for ARP DestMac = ff:ff:ff:ff:ff:ff with 'Send the packet to the egress port': ARP Inspection works
Classifier for ARP with 'Send the packet to the egress port': ARP Inspection does not work
Well, odd: it was working with ARP Inspection and a Classifier for ARP DestMac = ff:ff:ff:ff:ff:ff with 'Send the packet to the egress port', and now it's not. SO I guess this needs an ARP isolation option.
-
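The behaviour described in the post above (ARP Inspection validating the sender MAC/IP, a classifier matching on the ARP destination MAC, and the per-port destination-MAC block list as a workaround for unicast ARP between clients), as an added example that is not part of the original thread and not Zyxel's own code: a small Python model of ARP Inspection plus classifier rules, run over constructed Ethernet/ARP frames. It assumes that ARP Inspection checks the ARP sender MAC/IP against a per-port binding table (as DHCP-snooping-based inspection generally does) and that a classifier can match on the Ethernet destination MAC; the MACs, IPs, port numbers and the `Switch`/`demo` helpers are invented for the example, and the "send to egress port" action is simplified to "forward".

```python
# Added example (not Zyxel's code): a minimal model of ARP Inspection plus a
# destination-MAC classifier, run over constructed ARP frames.
# Assumption: inspection validates the ARP sender MAC/IP against a per-port
# binding table; a classifier matches on the Ethernet destination MAC.
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac(s):  # "aa:bb:cc:dd:ee:ff" -> 6 bytes
    return bytes.fromhex(s.replace(":", ""))


def ip(s):  # "10.0.0.1" -> 4 bytes
    return bytes(int(x) for x in s.split("."))


def build_arp(dst_mac, src_mac, sender_mac, sender_ip, target_mac, target_ip, op=1):
    """Build an Ethernet II frame carrying an ARP request (op=1) or reply (op=2)."""
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x06"           # EtherType 0x0806 = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)           # Ethernet/IPv4, hlen/plen, opcode
    arp += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields the switch polices, or None for non-ARP frames."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    return {
        "dst_mac": frame[0:6],
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": frame[22:28],
        "sender_ip": frame[28:32],
        "target_mac": frame[32:38],
        "target_ip": frame[38:42],
    }


class Switch:
    def __init__(self, bindings):
        # bindings: port -> (mac, ip), e.g. learned by DHCP snooping (constructed here)
        self.bindings = {p: (mac(m), ip(i)) for p, (m, i) in bindings.items()}
        self.dst_blocklist = {}  # port -> set of blocked destination MACs (classifier rules)

    def arp_inspection(self, port, a):
        """ARP Inspection: drop ARP whose sender MAC/IP does not match the port's binding."""
        return self.bindings.get(port) == (a["sender_mac"], a["sender_ip"])

    def isolate_peers(self):
        """The per-port classifier block list from the thread: one 'discard' rule per
        (port, other-client MAC). Returns the number of rules that were needed."""
        for p in self.bindings:
            self.dst_blocklist[p] = {om for q, (om, _) in self.bindings.items() if q != p}
        return sum(len(v) for v in self.dst_blocklist.values())

    def handle(self, port, frame):
        a = parse_arp(frame)
        if a is None:
            return "forward"  # non-ARP traffic is out of scope for this model
        if not self.arp_inspection(port, a):
            return "drop:inspection"
        if a["dst_mac"] in self.dst_blocklist.get(port, set()):
            return "drop:classifier"
        return "forward"


def demo():
    """Walk through the cases discussed in the thread; returns the policy decisions."""
    pc1, pc2, gw = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:aa:bb:cc:dd:ee"
    sw = Switch({1: (pc1, "10.0.0.11"), 2: (pc2, "10.0.0.12"),
                 3: ("00:11:22:33:44:03", "10.0.0.13")})
    out = {}
    # PC1 claims the gateway IP in a broadcast reply: binding mismatch, dropped.
    out["spoofed_gw"] = sw.handle(1, build_arp(BROADCAST, pc1, pc1, "10.0.0.1", BROADCAST, "10.0.0.12", op=2))
    # Legit broadcast request for the gateway: forwarded.
    out["bcast_to_gw"] = sw.handle(1, build_arp(BROADCAST, pc1, pc1, "10.0.0.11", ZERO_MAC, "10.0.0.1"))
    # Legit unicast request PC1 -> PC2: passes inspection, so proxy ARP on the GW is bypassed.
    out["unicast_peer_before"] = sw.handle(1, build_arp(pc2, pc1, pc1, "10.0.0.11", pc2, "10.0.0.12"))
    # Same frame sent from the wrong port (MAC of port 1 seen on port 2): dropped.
    out["wrong_port"] = sw.handle(2, build_arp(BROADCAST, pc1, pc1, "10.0.0.11", ZERO_MAC, "10.0.0.1"))
    # Install the per-port block list; with 3 clients that is 3 * 2 rules.
    out["rules"] = sw.isolate_peers()
    out["unicast_peer_after"] = sw.handle(1, build_arp(pc2, pc1, pc1, "10.0.0.11", pc2, "10.0.0.12"))
    # Unicast ARP to the gateway is still allowed after isolation.
    out["unicast_gw_after"] = sw.handle(1, build_arp(gw, pc1, pc1, "10.0.0.11", gw, "10.0.0.1"))
    return out


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:22} {decision}")
```

The model makes the thread's point concrete: inspection only ever compares the sender fields against the binding, so a client that uses its own legitimate MAC/IP as sender is free to ARP any peer directly, and the only classifier-level answer is a destination-MAC rule per port per peer, which grows with the square of the client count.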
Hi,
Sorry for this late reply.
As discussed in private message, we still insist that enabling ARP Inspection on the switch is enough for you to defend against ARP spoofing in your scenario.
If you have any other thoughts, please feel free to post your idea in the idea section.
We will have an agent investigate whether your idea is reasonable.
Regards, Adam
-
Zyxel_Adam said:
As discussed in private message, we still insist that enabling ARP Inspection on the switch is enough for you to defend against ARP spoofing in your scenario.
-
@PeterUK
As discussed in private message, based on our understanding, since NetBIOS communication is between PCs, using an ACL to forward the PCs' traffic to the GW with Proxy ARP enabled may conflict in your scenario.
Adam